Jack is a man of a great many talents. The zoo has employed him to capture the penguins due to his years of penguin-wrangling experience, but all is not as it seems… We must stop him! Can you see through his facade of a forgetful old toymaker and bring this lunatic down?
Time to hack this box. First we start off with a version scan of the box using Nmap.
nmap -A -oN version-scan 10.10.43.162
This is strange: it looks like the ports are reversed. We have a website on port 22, which is usually SSH, and SSH on port 80.
Let’s check out the website at http://10.10.43.162:22
Firefox blocks the website as it is running on Port 22. A bit of Googling and we can find a way to bypass this restriction. Check out the following website.
Let’s inspect the source code. Yes, there is some interesting stuff in here.
So we find a password, but at this stage I am not sure what it is for.
There is also an image called stego.jpg, which could mean it contains some steganography. Let’s wget this image for later analysis.
Let’s run this through Steghide to see whether there is any important information contained inside the image. Using the password as the passphrase, we see there is a file called creds.txt embedded in the image.
We can extract this using Steghide:
Looks like a rabbit hole; we’re on the right path but the wrong image.
There are two other images on this page, jackinthebox.jpg and header.jpg. I will download these also. Header gives us a result using the same password:
Let’s extract the hidden file cms.creds
As this states cms.creds, we can try using these with the /recovery.php file on the website.
Entering the username and password into the recovery.php, we get the following hint.
This looks like a command injection vulnerability in the website.
Let’s try extending the URL with ?cmd=ls
Note that I have switched to view source after this command so as to clearly see the output. Let’s try to view the home directory:
There are two duplicate files which look interesting and also have read access; let’s look at jacks_password_list. We also have the user ‘jack’.
Let’s bruteforce the SSH using user jack and the password list; however, before that we need to copy the list and put it into a file, which I will call password_list.
Notice that I use the -s flag as the SSH service is not on the standard port.
We can now log in to SSH using the username and password.
Although the ssh gives a good stable shell, I prefer to connect back to a Pwncat listener as this gives me much flexibility and automation.
Let’s navigate to jack’s home directory and hopefully get the flag.
Unfortunately we do not appear to have the conventional user.txt file; however, we do have a user.jpg.
Using Pwncat we can simply change to Local using Ctrl D and then simply type download user.jpg.
Excellent — We have the user flag and a fantastic recipe for Penguin Soup which I have saved to my recipe database:-).
Privesc
Unfortunately Jack does not have any Sudo rights. Now I am going to show you the magic of Pwncat for Privesc. This may be a bit cheating, so I will cover privesc enumeration after.
With Pwncat:
Switching to Local with Ctrl D, we can enter a single command:
privesc -l
This will automatically enumerate privesc vectors using many living-off-the-land techniques such as SUID binaries. Almost instantly we get the following:
We can see that we have a privesc to read files as a privileged user, as strings is being run as root. Using GTFOBins we can check out this privesc.
As stated by Pwncat we can only read a file as a privileged user as we do not have Sudo rights for Strings, so using the above ‘File Read’ privesc:
LFILE=/root/root.txt
strings "$LFILE"
Here I am assuming standard CTF convention in that the root flag is in the root directory as root.txt but maybe I am wrong.
And here we have the root flag and all made very simple with Pwncat.
Alternatively, I would upload a privesc enumeration script like LinPEAS; running this script, we would see the following in the output:
Here I tried using find, but I could not get this to work; however it did find Strings and we could get privesc using the method above.
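The same finding from the defender’s side, as an added example that is not part of the original write-up: a Python audit that flags setuid-root binaries outside an expected baseline, which is how a misconfigured strings would be caught on a host you administer. It assumes strings is setuid-root, as the SUID enumeration above suggests; the baseline list, the scan directories and the sample entries (including the path /usr/bin/strings) are constructed for illustration.

```python
import os
import stat

# Assumed baseline of binaries that normally ship setuid-root on a Linux host.
# Illustrative only: build the real list from a known-good image.
EXPECTED_SUID = {"passwd", "su", "sudo", "mount", "umount",
                 "chsh", "chfn", "newgrp", "gpasswd"}


def is_suid_root(mode, uid):
    """True for a regular file that has the setuid bit and is owned by root."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID) and uid == 0


def unexpected_suid(entries, expected=EXPECTED_SUID):
    """entries: iterable of (path, st_mode, st_uid).
    Returns sorted paths that are setuid-root but not in the baseline."""
    return sorted(
        path for path, mode, uid in entries
        if is_suid_root(mode, uid) and os.path.basename(path) not in expected
    )


def scan(roots=("/usr/bin", "/usr/sbin", "/usr/local/bin")):
    """Yield (path, st_mode, st_uid) for files under roots; symlinks are not followed."""
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue  # file vanished or is unreadable; skip it
                yield path, st.st_mode, st.st_uid


# Constructed sample mirroring the finding on this box.
SAMPLE = [
    ("/usr/bin/passwd", stat.S_IFREG | 0o4755, 0),     # expected setuid-root
    ("/usr/bin/strings", stat.S_IFREG | 0o4755, 0),    # the misconfiguration
    ("/usr/bin/ls", stat.S_IFREG | 0o755, 0),          # no setuid bit
    ("/home/jack/tool", stat.S_IFREG | 0o4755, 1000),  # setuid, not root-owned
]

if __name__ == "__main__":
    for p in unexpected_suid(SAMPLE):
        print("sample: unexpected setuid-root binary:", p)
    for p in unexpected_suid(scan()):
        print("this host: unexpected setuid-root binary:", p)
```

Anything the audit reports on a real host should either be added to the baseline deliberately or have its setuid bit removed.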
I enjoyed this box and it was good fun. Thank you to the developer of this box.